SElinux concerning symlink?

max maximilianbianco at gmail.com
Fri Jul 25 14:22:00 UTC 2008


Stuart Sears wrote:
> Todd Denniston wrote:
>> Stuart
>>
>> Thanks for the recipe.
> 
> you're welcome
> 
>> if /rootlockeddown/ is on NFS, would the following command do part of
>> what is needed? (yet more complexity, but then we do have a real world
>> to live in :)
>>    setsebool -P use_nfs_home_dirs=1
> 
> seems that it might. It basically treats nfs_t the same as user_home_t
> 
> /me smiles inwardly at the idea of NFS being described as "locked down"
> at all.
> 
> 
> 
There is a project ongoing to bring MAC to NFS.

http://selinuxproject.org/page/Labeled_NFS

Dan Walsh's live journal is a good source of information.

http://danwalsh.livejournal.com/

In particular here is the bit from his journal that deals with semanage:

Thursday, July 3rd, 2008, 2:18 pm (taken from Dan Walsh's live journal)
File Context problems.
If you want to move files to directories that the current policy does 
not know about you should use the semanage command to tell the system 
what to label these files.


# semanage fcontext -a -t httpd_sys_script_exec_t '/myweb/cgi(/.*)?'
# restorecon -R -v /myweb/cgi

Semanage is a good tool for this, since it sets up the machine to 
permanently label these directories with this context. If the machine 
is later relabeled, this directory will continue to be labeled 
correctly. system-config-selinux also has a graphical mechanism to do 
this.

Note:
   This is preferred over using chcon, since chcon might not survive a 
relabel.

If you do this labeling and the policy is updated later on with the same 
or slightly different context, you can have problems.  I have also seen 
packages shipping with semanage commands in their post install to set 
the file context.

You can end up seeing statements like:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple
different specifications for /var/lib/awstats(/.*)?
(system_u:object_r:httpd_sys_script_rw_t:s0 and
system_u:object_r:awstats_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple
different specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)?
(system_u:object_r:httpd_sys_script_exec_t:s0 and
system_u:object_r:httpd_awstats_script_exec_t:s0).

When restorecon, rpm, matchpathcon, setfiles, or any other tool that 
reads the system's file contexts sees a conflict, it puts out this message.

You can remove the conflict by using semanage:

# semanage fcontext -d '/var/lib/awstats(/.*)?'

One handy qualifier available at least in semanage on Fedora 9:

# semanage fcontext -l -C
SELinux fcontext                                   type        Context

/etc/glpi(/.*)?                                    all files   system_u:object_r:httpd_sys_script_rw_t:s0
/var/log/glpi(/.*)?                                all files   system_u:object_r:httpd_sys_script_rw_t:s0
/var/lib/glpi(/.*)?                                all files   system_u:object_r:httpd_sys_script_rw_t:s0
/dev/mapper/Volumes-OldWindowsBackup               all files   system_u:object_r:virt_image_t:s0

This command lists all the local customizations that have been made to 
your system. This shows that on my system the glpi program must have 
set up special labeling and I labeled a virtual image in /dev/mapper.

You can see similar functionality in system-config-selinux by selecting 
the "File Labeling" list item and then clicking on the "Customized" button.


End excerpt.

Later,

Max

-- 
Fortune favors the BOLD
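A small shell helper, added here as an example (it is not from this post and not from Dan Walsh's journal), that detects the "Multiple different specifications" conflict discussed in the excerpt in any file written in file_contexts format (the policy's file_contexts or the file_contexts.local that `semanage fcontext -a` maintains), and that checks whether a spec is already defined before you add another one. The sample file_contexts content is constructed, and the function names `find_conflicts`, `conflict_count`, `has_spec` and `suggest_fix` are assumptions of this example. It reads the file from stdin, so it runs without semanage or a policy store.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from Dan Walsh's journal.
# Checks a file in file_contexts format for path specs that carry more than
# one distinct context: the condition restorecon, setfiles and matchpathcon
# report as "Multiple different specifications for ...".
#
# Each line has the form:  <regex> [<file type>] <context>
# The file type (--, -d, -l, ...) is optional; the context is the last field.

# Constructed sample (assumed content): a policy entry and a local
# customisation that disagree on the type for /var/lib/awstats, plus an
# exact duplicate of the glpi line, which is NOT a conflict.
SAMPLE_FILE_CONTEXTS='/var/lib/awstats(/.*)?    system_u:object_r:httpd_sys_script_rw_t:s0
/var/lib/awstats(/.*)?    system_u:object_r:awstats_var_lib_t:s0
/myweb/cgi(/.*)?          system_u:object_r:httpd_sys_script_exec_t:s0
/etc/glpi(/.*)?           system_u:object_r:httpd_sys_script_rw_t:s0
/dev/mapper/Volumes-OldWindowsBackup -- system_u:object_r:virt_image_t:s0
# comment lines are ignored, as are repeats with the same context
/etc/glpi(/.*)?           system_u:object_r:httpd_sys_script_rw_t:s0'

# find_conflicts: read file_contexts lines on stdin and print one line per
# spec that maps to more than one distinct context:  <spec> <ctx1> <ctx2> ...
find_conflicts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        {
            spec = $1; ctx = $NF
            if ((spec, ctx) in seen) next           # same spec+context again: harmless
            seen[spec, ctx] = 1
            n[spec]++
            ctxs[spec] = (n[spec] == 1) ? ctx : ctxs[spec] " " ctx
        }
        END {
            for (s in n) if (n[s] > 1) print s, ctxs[s]
        }' | sort
}

# conflict_count: number of conflicting specs on stdin (0 means clean).
conflict_count() {
    find_conflicts | wc -l | tr -d ' '
}

# has_spec SPEC: exit 0 if SPEC (compared literally) already has an entry on
# stdin. Run this before "semanage fcontext -a" so you do not add a second,
# conflicting rule for a path the policy already labels.
has_spec() {
    awk -v want="$1" 'NF > 0 && $1 == want { found = 1 } END { exit !found }'
}

# suggest_fix: for each conflict, print the semanage command that drops the
# local customisation for that spec (the resolution shown in the journal
# entry). The commands are printed, not executed; after deleting a rule,
# relabel the affected tree with:  restorecon -R -v <dir>
suggest_fix() {
    find_conflicts | while read -r spec _; do
        printf "semanage fcontext -d '%s'\n" "$spec"
    done
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_FILE_CONTEXTS" | find_conflicts
printf '%s\n' "$SAMPLE_FILE_CONTEXTS" | suggest_fix
```

On a real system you would feed it the output of `cat /etc/selinux/targeted/contexts/files/file_contexts /etc/selinux/targeted/contexts/files/file_contexts.local` (paths as on the Fedora targeted policy of that era); the deletion it suggests removes the local rule, which is the right fix only when the policy's own label is the one you want.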
